feat(v1.1.4): modernize templates, security, and build variants

This update refines the Tor relay configuration and build process:
- Security: Disables DirPort and adopts ciissversion:2 for ContactInfo.
- Performance: Adds IPv6 support and hardware acceleration options.
- Builds: Establishes Stable vs. Edge variants for better testing cycles.
- Tooling: Integrates nyx.config and cleans up legacy tags.
- Sync: Aligns cosmos-compose and docker-compose templates.
- Update retention policy: Keep last 7 versions

No breaking changes introduced.
rE-Bo0t.bx1
2025-12-21 03:14:39 +08:00
parent ce8cd42875
commit 5120d0d0e9
26 changed files with 329 additions and 282 deletions


@@ -4,12 +4,17 @@ on:
schedule:
- cron: '0 0 * * 0'
workflow_dispatch:
push:
tags:
- 'v*.*.*'
permissions:
actions: write
packages: write
jobs:
clear-cache:
name: 💥 Nuke Caches
runs-on: ubuntu-latest
steps:
- name: 💥 Nuke GitHub Actions Cache
@@ -18,4 +23,63 @@ jobs:
run: |
echo "🔍 meaningful-text: check for caches..."
gh cache delete --all --repo ${{ github.repository }} || true
echo "✅ Cache storage is now empty."
echo "✅ Cache storage is now empty."
prune-ghcr:
name: 🧊 Prune GHCR
runs-on: ubuntu-latest
steps:
- name: 🗑️ Delete old GHCR versions
uses: actions/delete-package-versions@v5
with:
package-name: 'onion-relay'
package-type: 'container'
min-versions-to-keep: 14
ignore-versions: '^(latest|edge)$'
delete-only-untagged-versions: 'false'
prune-dockerhub:
name: 🐋 Prune Docker Hub
runs-on: ubuntu-latest
steps:
- name: 📥 Checkout Repository
uses: actions/checkout@v5
- name: 🪄 Clean Docker Hub Tags
env:
DOCKER_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKER_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
REPOSITORY: "r3bo0tbx1/onion-relay"
run: |
set -e
echo "🔑 Authenticating with Docker Hub..."
TOKEN=$(curl -s -H "Content-Type: application/json" -X POST \
-d "{\"username\": \"$DOCKER_USERNAME\", \"password\": \"$DOCKER_PASSWORD\"}" \
https://hub.docker.com/v2/users/login/ | jq -r .token)
if [ "$TOKEN" == "null" ] || [ -z "$TOKEN" ]; then
echo "❌ Authentication failed. Check DOCKERHUB_TOKEN."
exit 1
fi
echo "🔍 Fetching tags for $REPOSITORY..."
ALL_TAGS=$(curl -s -H "Authorization: JWT $TOKEN" \
"https://hub.docker.com/v2/repositories/$REPOSITORY/tags/?page_size=100")
# Filter out moving tags and count only the real version tags
VERSION_TAGS=$(echo "$ALL_TAGS" | jq -r '.results | sort_by(.last_updated) | reverse | .[].name' | grep -E -v "^(latest|edge)$" || true)
COUNT=$(echo "$VERSION_TAGS" | wc -w)
echo "📊 Found $COUNT versioned tags."
if [ "$COUNT" -gt 14 ]; then
OLD_TAGS=$(echo "$VERSION_TAGS" | awk 'NR>14')
for TAG in $OLD_TAGS; do
echo "🗑️ Deleting old versioned tag: $TAG"
curl -s -H "Authorization: JWT $TOKEN" -X DELETE \
"https://hub.docker.com/v2/repositories/$REPOSITORY/tags/$TAG/"
done
echo "✅ Docker Hub cleanup complete."
else
echo "✨ Current version count ($COUNT) is within the limit. No deletion needed."
fi
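Review bot: The tag-deletion loop at the end of the new prune-dockerhub step never checks whether the DELETE succeeded: `curl -s` exits 0 on an HTTP 4xx/5xx, so an expired JWT or a permission error leaves every old tag in place while the step still prints "Docker Hub cleanup complete" under `set -e`. The same applies to the tag listing, which also reads only the first `page_size=100` page and sorts within it, so on a repository with more than 100 tags the "oldest" set is computed from a partial list. I would change `set -e` to `set -eo pipefail`, use `curl -sf` on both the listing and the DELETE calls so a failed request aborts the step, and follow the API's next-page link (or at least raise page_size) before sorting. Less urgently, the workflow-level `permissions` block in the first hunk grants `actions: write` and `packages: write` to this job as well, which only needs the two Docker Hub secrets; scoping permissions per job keeps the least-privilege boundary. The commit message says "Keep last 7 versions" while the GHCR step keeps `min-versions-to-keep: 14` and only the artifact retention-days moved to 7 — one of the two should be corrected.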


@@ -69,7 +69,7 @@ jobs:
run: |
set -e
echo "🔍 Determining version context..."
BUILD_VARIANTS="both" # Default: build both variants
BUILD_VARIANTS="both"
if [[ "${GITHUB_REF}" == refs/tags/v* ]]; then
VERSION="${GITHUB_REF#refs/tags/v}"
@@ -83,14 +83,12 @@ jobs:
LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v1.0.0")
if [[ "${BUILD_MODE}" == "rebuild" ]]; then
# Rebuild mode: Use last release version (same as weekly)
VERSION="${LATEST_TAG#v}"
BUILD_TYPE="manual-rebuild"
IS_RELEASE="false"
echo "🔄 Manual rebuild of last release: ${VERSION} (with updated packages)"
echo " Variants: ${BUILD_VARIANTS}"
else
# Version bump mode: Create new version with suffix
VERSION="${LATEST_TAG#v}-manual-${GITHUB_RUN_NUMBER}"
BUILD_TYPE="manual"
IS_RELEASE="false"
@@ -98,25 +96,21 @@ jobs:
echo " Variants: ${BUILD_VARIANTS}"
fi
elif [[ "${GITHUB_EVENT_NAME}" == "schedule" ]]; then
# Scheduled rebuild: Determine which schedule based on time
LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v1.0.0")
VERSION="${LATEST_TAG#v}"
IS_RELEASE="false"
CURRENT_HOUR=$(date -u +%H)
if [[ "${CURRENT_HOUR}" == "18" ]]; then
# Weekly rebuild (Sundays 18:30 UTC): Build stable only
BUILD_TYPE="weekly"
BUILD_VARIANTS="latest"
echo "📅 Weekly rebuild of last release: ${VERSION} (stable variant with updated packages)"
else
# Edge-only rebuild (Every 3 days at 12:00 UTC): Build edge only
BUILD_TYPE="edge-rebuild"
BUILD_VARIANTS="edge"
echo "⚡ Edge-only rebuild of last release: ${VERSION} (edge variant with updated packages)"
fi
else
# Fallback (shouldn't happen)
LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v1.0.0")
VERSION="${LATEST_TAG#v}"
BUILD_TYPE="unknown"
@@ -179,7 +173,6 @@ jobs:
BUILD_VARIANTS="${{ needs.determine-version.outputs.build_variants }}"
VARIANT_NAME="${{ matrix.variant.name }}"
# Determine if this variant should be built
SHOULD_BUILD="false"
if [ "$BUILD_VARIANTS" = "both" ]; then
@@ -306,32 +299,24 @@ jobs:
TAGS=()
# Always add GHCR versioned tag
TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:${VERSION}${SUFFIX}")
if [ "$BUILD_TYPE" = "release" ]; then
# New release: Add special tags
if [ "$IS_LATEST" = "true" ]; then
# Stable variant gets :latest
TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:latest")
else
# Edge variant gets :edge
TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:edge")
fi
# Add Docker Hub tags
if [ "$PUSH_DOCKERHUB" = "true" ]; then
if [ "$IS_LATEST" = "true" ]; then
# Stable: versioned tag + :latest
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:${VERSION}")
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:latest")
else
# Edge: only :edge (no versioned tag for Docker Hub)
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:edge")
fi
fi
elif [ "$BUILD_TYPE" = "weekly" ] || [ "$BUILD_TYPE" = "manual-rebuild" ] || [ "$BUILD_TYPE" = "edge-rebuild" ]; then
# Weekly rebuild, manual rebuild, or edge-only rebuild: Update version tag with fresh packages
if [ "$IS_LATEST" = "true" ]; then
TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:latest")
else
@@ -340,21 +325,17 @@ jobs:
if [ "$PUSH_DOCKERHUB" = "true" ]; then
if [ "$IS_LATEST" = "true" ]; then
# Stable: versioned tag + :latest
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:${VERSION}")
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:latest")
else
# Edge: only :edge (no versioned tag for Docker Hub)
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:edge")
fi
fi
else
# Manual/validated builds: version tag only
if [ "$PUSH_DOCKERHUB" = "true" ]; then
if [ "$IS_LATEST" = "true" ]; then
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:${VERSION}")
else
# Edge manual builds: only :edge for Docker Hub
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:edge")
fi
fi
@@ -400,7 +381,6 @@ jobs:
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
# Install syft for SBOM generation
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
VERSION="${{ needs.determine-version.outputs.version }}"
@@ -412,27 +392,22 @@ jobs:
echo " Image: ${IMAGE}"
echo ""
# Generate CycloneDX JSON
echo "📄 Generating CycloneDX JSON format..."
syft "${IMAGE}" -o cyclonedx-json > "sbom-${VARIANT}-cyclonedx-v${VERSION}.json"
echo " ✅ sbom-${VARIANT}-cyclonedx-v${VERSION}.json"
# Generate CycloneDX XML
echo "📄 Generating CycloneDX XML format..."
syft "${IMAGE}" -o cyclonedx-xml > "sbom-${VARIANT}-cyclonedx-v${VERSION}.xml"
echo " ✅ sbom-${VARIANT}-cyclonedx-v${VERSION}.xml"
# Generate SPDX JSON
echo "📄 Generating SPDX JSON format..."
syft "${IMAGE}" -o spdx-json > "sbom-${VARIANT}-spdx-v${VERSION}.json"
echo " ✅ sbom-${VARIANT}-spdx-v${VERSION}.json"
# Generate SPDX tag-value
echo "📄 Generating SPDX tag-value format..."
syft "${IMAGE}" -o spdx-tag-value > "sbom-${VARIANT}-spdx-v${VERSION}.spdx"
echo " ✅ sbom-${VARIANT}-spdx-v${VERSION}.spdx"
# Generate human-readable table
echo "📄 Generating human-readable table..."
syft "${IMAGE}" -o table > "sbom-${VARIANT}-table-v${VERSION}.txt"
echo " ✅ sbom-${VARIANT}-table-v${VERSION}.txt"
@@ -453,7 +428,7 @@ jobs:
sbom-${{ matrix.variant.name }}-*.xml
sbom-${{ matrix.variant.name }}-*.spdx
sbom-${{ matrix.variant.name }}-*.txt
retention-days: 90
retention-days: 7
release-notes:
name: 📝 Generate Release Notes
@@ -478,7 +453,6 @@ jobs:
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
# Try to extract from CHANGELOG.md first
CHANGELOG_FOUND=0
if [ -f CHANGELOG.md ]; then
@@ -490,9 +464,10 @@ jobs:
p
' CHANGELOG.md > tmp_notes.txt
sed -i '/^$/N;/^\n$/D' tmp_notes.txt 2>/dev/null || true
if [ -s tmp_notes.txt ]; then
sed -i '${/^---[[:space:]]*$/d;}' tmp_notes.txt
sed -i ':a; /^[ \n\r\t]*$/ { $d; N; ba }' tmp_notes.txt 2>/dev/null || true
echo "✅ Found changelog section for v${VERSION} in CHANGELOG.md"
CHANGELOG_FOUND=1
@@ -506,17 +481,14 @@ jobs:
echo "⚠️ CHANGELOG.md not found"
fi
# Fall back to auto-generated notes from commits
if [ "$CHANGELOG_FOUND" = "0" ]; then
echo "📋 Auto-generating release notes from commits..."
if [ -x scripts/release/generate-release-notes.sh ]; then
# Use auto-generation script
chmod +x scripts/release/generate-release-notes.sh
./scripts/release/generate-release-notes.sh --format github "${VERSION}" > release_notes.md
echo "✅ Auto-generated release notes from conventional commits"
else
# Simple fallback
echo "## 🧅 Tor Guard Relay v${VERSION}" > release_notes.md
echo "" >> release_notes.md
echo "### Changes" >> release_notes.md
@@ -529,7 +501,6 @@ jobs:
fi
fi
# Append Docker images and SBOM info
echo "" >> release_notes.md
echo "---" >> release_notes.md
echo "" >> release_notes.md
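Review bot: The SBOM step in the `@@ -400,7 +381,6 @@` hunk still installs syft with `curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin`, an unpinned script from a moving branch executed on the release runner with nothing verifying what was fetched, so the tool that attests the image's contents is itself the least-attested component of the build. Pinning both the installer and the syft release it fetches, e.g. `curl -sSfL "https://raw.githubusercontent.com/anchore/syft/<PINNED_TAG>/install.sh" | sh -s -- -b /usr/local/bin "<PINNED_TAG>"` (placeholder tag), would make the SBOMs reproducible across rebuilds and give a fixed artifact to check. Separately, in the `@@ -98,25 +96,21 @@` hunk the schedule branch is chosen by `date -u +%H` equalling "18"; scheduled runs on GitHub frequently start late, so a weekly run that begins after 18:59 UTC would silently take the edge-rebuild branch and build only the edge variant — comparing `github.event.schedule` against the two cron expressions would be deterministic. The `run:` scripts these hunks belong to start and end outside the shown hunks.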


@@ -508,7 +508,7 @@ jobs:
with:
name: trivy-security-report
path: trivy-full-report.json
retention-days: 30
retention-days: 7
continue-on-error: true
- name: 📋 Generate Security Summary